[TLS] Next protocol negotiation
Adam Langley <agl@google.com> Wed, 20 January 2010 13:20 UTC
Return-Path: <agl@google.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D830B3A683C for <tls@core3.amsl.com>; Wed, 20 Jan 2010 05:20:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -107.977
X-Spam-Level:
X-Spam-Status: No, score=-107.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, GB_I_LETTER=-2, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eEr7jQF+U66z for <tls@core3.amsl.com>; Wed, 20 Jan 2010 05:20:28 -0800 (PST)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.33.17]) by core3.amsl.com (Postfix) with ESMTP id 64D6E3A6902 for <tls@ietf.org>; Wed, 20 Jan 2010 05:20:27 -0800 (PST)
Received: from kpbe18.cbf.corp.google.com (kpbe18.cbf.corp.google.com [172.25.105.82]) by smtp-out.google.com with ESMTP id o0KDKL85022854 for <tls@ietf.org>; Wed, 20 Jan 2010 13:20:22 GMT
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1263993622; bh=KUBT+RuyTYIU7+SuiU8UHRcbggY=; h=MIME-Version:Date:Message-ID:Subject:From:To:Content-Type; b=Q3Jj2T1r06lrbFj6qFsUil5mEZVXrkGDD00cE+FsTHyUL8sPGCU1HJx9E1B8GzCfv K4aj1EtAWwwm4TPRj+CBA==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:date:message-id:subject:from:to:content-type:x-system-of-record; b=kAJ/JPR3GySaB+qetb5VlXzTWPLlrHQo0MzDHwcOm1T0Wx94nuMDCZbvpf6wyfwRT XQoxA0kYHtmOEjr/83K7g==
Received: from iwn6 (iwn6.prod.google.com [10.241.68.70]) by kpbe18.cbf.corp.google.com with ESMTP id o0KDKKJS012868 for <tls@ietf.org>; Wed, 20 Jan 2010 05:20:21 -0800
Received: by iwn6 with SMTP id 6so3631464iwn.15 for <tls@ietf.org>; Wed, 20 Jan 2010 05:20:20 -0800 (PST)
MIME-Version: 1.0
Received: by 10.231.169.144 with SMTP id z16mr2100509iby.25.1263993620597; Wed, 20 Jan 2010 05:20:20 -0800 (PST)
Date: Wed, 20 Jan 2010 05:20:20 -0800
Message-ID: <a84d7bc61001200520t4e3be7d4sb0bb614abb0b5e4e@mail.gmail.com>
From: Adam Langley <agl@google.com>
To: tls@ietf.org
Content-Type: text/plain; charset="UTF-8"
X-System-Of-Record: true
Subject: [TLS] Next protocol negotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jan 2010 13:20:32 -0000
(This email is the 'cover letter' for http://www.ietf.org/internet-drafts/draft-agl-tls-nextprotoneg-00.txt, which had been waiting for the renegotiation issue to die down a little.) The reaction to the announcement of SPDY[1] (a new presentation layer for HTTP) has been surprisingly positive, except for our choice to use TLS. Correspondents have suggested that TLS is slow, expensive, troublesome to administer and unnecessary. We disagree on these points and have tried to correct misunderstandings and out of date information where we have found them. But we have found that people are generally unaware of one of the central reasons for using TLS: there is no other choice for new protocols. For our development of WebSockets for WebKit (and, thus, Chrome and Safari) we setup an experiment to find out how many hosts on the Internet could setup a WebSockets connection. (WebSockets uses an HTTP Upgrade header over port 80 or 443). The experiment tries to perform a trival WebSockets transaction over HTTP, over HTTP on a random, high numbered port (61985) and over HTTPS. This experiment is run via Chrome for users who have opted in. These are normal requests in the Chrome network stack and so will use any configured proxies. Excluding users that couldn't even do basic a HTTP transaction over the transport layer (6.37%, 10.15% and 7.91%, respectively), the success rates are: HTTP (port 80) 67% HTTP (port 61985) 86% HTTPS (port 443) 95% This results in overall sucess rates of 63%, 77% and 87%, respectively. I stress that these results are preliminary. In time we want a larger sample size and to better understand the various failure cases. We would also like to point out that there is a strong preselection bias in effect here. We believe that Chrome is likely to be underrepresented on networks with strong central control. We also believe that those networks are more likely to contain pertinent middleware. The true success rate over HTTP in the real world could be less than 50%. Even at this early stage, it's clear that TLS over port 443 is by far the best transport for a new protocol. Since we have lost TCP port numbers as a means of protocol disambiguation we added another mechanism into the TLS handshake. This is described in the accompanying draft. Alternatives: We considered several alternatives to this design. We could have wrapped the first request in an HTTP presentation. Base64 encoding and the HTTP headers increase the size of the request. Later disambiguation makes the server side code less modular. Lastly, it simply strikes one as the wrong thing to do; admiting defeat and accepting an accumulation of protocol detritus. We could have had the client advertise a list of protocols in the ClientHello and had the server select one in the ServerHello. Instead we moved the final protocol selection under the cover of the secure transport. Although this is probably not needed in our case, we intend this mechanism to be generally useful. Without this protection, we fear that network middleware might use the protocol selection to discriminate against certain protocols. For example, a by dropping all TCP connections that tried to negotiate the "tor" protocol. We could also have moved the NextProtocol handshake message after the Finished message. At the time we didn't because the NextProtocol is needed before reading the first bytes from the connection and the processing of the Finished message triggers handshake complete callbacks in the TLS libraries that we are working with. After having implemented this several times we are less concerned about these code changes. We consider moving NextProtocol after the Finished message to be perfectly reasonable and have no strong opinions either way. Currently unspecified behaviour: Several aspects of the design have been deliberatly omitted from the draft because we didn't want to pin them down at this point. These include the behaviour of the parties when it comes to protocol selection. Our current code follows this algorithm: Let the client and server know an ordered set of protocols, where a protocol is a non-empty byte string less than 256 bytes long. The client's set must be non-empty. A protocol is serialised by prepending a 8-bit length. An ordered set of protocols is serialised by serialising each element in order. The server includes its (possibly empty) set in the ServerHello. If the set is empty, the client selects the first protocol in its set (case A). Otherwise, the client finds the first of the server's protocols that is included in its own set. If such a protocol exists, the client selects it (case B). If no such protocol exists, the client selects the first protocol in its list (case C). The selected protocol is sent in the NextProtocol message. The client's TLS library returns the selected protocol and the case (A, B or C) that resulted. This allows the server to pick the most preferable protocol if the client and server mutually support several. It also allows the client to force the selection of a certain protocol, even if the server doesn't advertise it by only including a single protocol in its set. (An example would be a Tor client, assuming that Tor servers would want to advertise something more common, like HTTP.) Although this behaviour is important, we are still experimenting and so we have not yet included this in the draft. Assignment of protocols: Should this be adopted, a registry of protocols may be worthwhile to prevent multiple protocol byte strings for the same protocol. Since the code space is so large, this registry can afford to have very low requirements. It need only reflect reality. At the present time, we are using two protocols: 68747470312e31 HTTP 1.1 (RFC 2616) 73706479 Experimental (SPDY) Implementations: We have client and server implementations for OpenSSL and a client implementation for NSS. Both available on request. Cheers AGL [1] http://www.chromium.org/spdy [2] http://dev.w3.org/html5/websockets/
- [TLS] Next protocol negotiation Adam Langley
- [TLS] Next protocol negotiation Adam Langley
- Re: [TLS] Next protocol negotiation Nikos Mavrogiannopoulos
- Re: [TLS] Next protocol negotiation Adam Langley
- Re: [TLS] Next protocol negotiation Nikos Mavrogiannopoulos
- Re: [TLS] Next protocol negotiation Adam Langley
- Re: [TLS] Next protocol negotiation Marsh Ray
- Re: [TLS] Next protocol negotiation Steve Dispensa
- Re: [TLS] Next protocol negotiation Adam Langley
- Re: [TLS] Next protocol negotiation Marsh Ray
- Re: [TLS] Next protocol negotiation Yoav Nir
- Re: [TLS] Next protocol negotiation Yoav Nir
- Re: [TLS] Next protocol negotiation Yoav Nir
- Re: [TLS] Next protocol negotiation Marsh Ray
- Re: [TLS] Next protocol negotiation Adam Langley
- Re: [TLS] Next protocol negotiation Adam Langley
- Re: [TLS] Next protocol negotiation Dean Anderson
- Re: [TLS] Next protocol negotiation Adam Langley
- Re: [TLS] Next protocol negotiation Dean Anderson
- Re: [TLS] Next protocol negotiation Adam Langley